Ethical Hacking and Penetration Testing Guide


Attacking Form-Based Authentication



We have already discussed the various popular authentication schemes we would encounter on the web. In this section, I will demonstrate how you can carry out brute-force or dictionary-based attacks on web forms using Burp Intruder. For this, I have set up a WordPress blog on one of the domains that I own (techlotips.com). Let’s talk about dictionary attacks first.
Step 1—Our first step would be to perform username enumeration; this can easily be done by entering an incorrect password together with the username whose presence in the database you want to check. In this case, we found that the username “admin” exists.


Step 2—Next, we would trap the authentication request with Burp Suite and then press “Ctrl+I” to send it to the Intruder.
Step 3—Burp would automatically highlight the input fields that you can try to run your attack against; however, we are interested only in the password field with the parameter (pwd). So we will click on the “Clear” button at the right to clear all the inputs and click the “Add” button twice.
Finally, we would choose the “attack type.” Burp Suite supports multiple attack types; a description of all the attack types can be found in Burp Suite’s official documentation, for which I will provide the link later. For the sake of this demonstration, we will choose “Sniper”; this attack type is useful when we are trying to inject our payloads into a single position.
Step 4—We will now move to the “Payloads” tab, and under payload options, we will load the wordlist against which we want to test this particular form. For demonstration purposes, I would use the list of top 500 worst passwords by Symantec, for which I will provide the link later.


Step 5—Once we have everything set up, we will click on “Intruder” at the top and click on “Start Attack,” and it will try the wordlist against our target.
On the 15th request, we see a difference in the content length and the status, which probably means that we have correctly guessed the password. Please note that the success rate of this attack depends solely upon the quality of your wordlist.
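
Seen from the defender's side, the run described above appears in the web server access log as a burst of POSTs to the login form from one client, ending in a response whose status differs from the rest. The following is an added example, not code from the book: it flags that pattern in combined-format access logs. The log lines are constructed, the thresholds are arbitrary, and it assumes WordPress answers a failed login with 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/wp-login.php"   # WordPress login form, the target described above
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def sample_log():
    """Constructed traffic (not real): 14 failed guesses, a 15th that succeeds, one normal user."""
    fmt = ('{ip} - - [07/Aug/2023:10:00:{s:02d} +0000] '
           '"POST /wp-login.php HTTP/1.1" {st} {sz} "-" "-"')
    lines = [fmt.format(ip="203.0.113.7", s=i, st=200, sz=4512) for i in range(14)]
    lines.append(fmt.format(ip="203.0.113.7", s=14, st=302, sz=0))
    lines.append(fmt.format(ip="198.51.100.20", s=20, st=200, sz=4512))  # mistyped password
    lines.append(fmt.format(ip="198.51.100.20", s=30, st=302, sz=0))     # then a normal login
    return "\n".join(lines)

def login_posts(log_text):
    """Yield (ip, timestamp, status) for each POST to the login form."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == LOGIN_PATH:
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), int(m["status"])

def detect(log_text, max_failures=5, window=timedelta(minutes=1)):
    """Return {ip: {...}} for clients with >= max_failures failed logins inside the window."""
    failures = defaultdict(list)   # ip -> timestamps of recent failed attempts
    alerts = {}
    for ip, ts, status in sorted(login_posts(log_text), key=lambda e: e[1]):
        recent = [t for t in failures[ip] if ts - t <= window]
        if status == 200:          # assumption: a failed login re-renders the form with 200
            recent.append(ts)
        failures[ip] = recent
        if len(recent) >= max_failures:
            alert = alerts.setdefault(ip, {"failures": 0, "success_after_burst": False})
            alert["failures"] = max(alert["failures"], len(recent))
            if status == 302:      # assumption: a successful login answers with a redirect
                alert["success_after_burst"] = True
    return alerts

if __name__ == "__main__":
    for ip, info in detect(sample_log()).items():
        print(ip, info)
```

A client flagged with success_after_burst set is the case that calls for an immediate password reset and session review, since a guess has most likely landed.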
